
Preserve source hostname with f5 and rsyslog

Explorer

We are in the process of using two syslog servers to collect network data. We have an F5 that we use to load balance traffic to the two syslog servers. Data coming into the syslog servers from the F5 has the load balancer IP and not the source IP. How do we get around this, since our templates/filters are looking for the hostname or source IP to filter data?

0 Karma

Re: Preserve source hostname with f5 and rsyslog

Path Finder

Does your F5 add a "Forwarded-For:" header? This is the usual way of passing the IP to receiving servers, and you could capture and log it.

0 Karma

Re: Preserve source hostname with f5 and rsyslog

Ultra Champion

If it is UDP syslog, you can simply configure the F5 to keep the original IP address and not perform Source NAT.

For TCP that is a bit more complicated, since TCP requires two-way communication and the responses from your syslog servers also need to run through your F5s; otherwise the sending devices will get confused when they get TCP responses from an unknown IP. It is possible though. I believe you need to put the F5 and your syslog servers in the same subnet and make the F5 the default gateway of your syslog servers. For details you are probably best off talking to the team managing your F5s; this is not really a Splunk issue.

Alternatively, of course, you can try to make sure that all the original syslog devices properly put their hostname in the message, so that you can use that instead of the IP/hostname observed from the network layer.

0 Karma
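The last suggestion in the answer above, keying rsyslog templates and filters on the hostname inside the syslog message rather than on the peer address, looks like the following rsyslog configuration. This is an added example and not configuration from the thread or from any of its participants; the port, the log directory, the load balancer address 10.0.0.5 and the device name core-sw1 are constructed for illustration.

```rsyslog
# Added example (not from the original thread). Behind a load balancer that
# performs Source NAT, $fromhost-ip is always the balancer's own address, so
# per-device routing has to use the HOSTNAME field of the message ($hostname).
# Constructed values: port 514, /var/log/remote, 10.0.0.5 (the F5), core-sw1.
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per sending device, keyed on the message's own hostname field,
# not on the network-layer peer address.
template(name="PerDeviceFile" type="string"
         string="/var/log/remote/%hostname%/%programname%.log")

ruleset(name="remote") {
    # Everything arrives from the load balancer, so a filter on
    # $fromhost-ip matches every message and cannot tell devices apart.
    if $fromhost-ip == "10.0.0.5" then {
        # Device-specific filter on the hostname written by the sender.
        if $hostname == "core-sw1" then {
            action(type="omfile" file="/var/log/remote/core-sw1.log")
        }
        # Everything else is split per device the same way.
        action(type="omfile" dynaFile="PerDeviceFile")
    }
    stop
}
```

The caveat a practitioner should keep in mind: $hostname comes from the message body and is set by whatever sent the message, so it is an unauthenticated claim. Filtering on it works for routing and templates, but it offers none of the assurance that the real source address gives, which is why the answer's first two options (no Source NAT for UDP, or routing the return path through the F5 for TCP) are preferable wherever the F5 team can accommodate them.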